The time to integrate added security into our country’s personal identification system is upon us.
The Equifax data breach released into the wild 144 million unique U.S. Social Security numbers. Future verifications used to prove identity to a prospective employer, creditor or educational institution should combine biometric security with strong privacy protections—but only with careful consideration of downstream consequences and unintended uses of new technologies.
Here are five key hurdles to improving our consumer identity verification system:
1. Using dynamic data for identification is intriguing, but can erode privacy. Dynamic data is one approach to identity verification in the future. Data about an individual’s location, such as IP address and geolocation, and about the physical person, such as biometric, genetic and behavioral data, already is available, but it can further chip away at our privacy as it is integrated into old systems.
2. Identifiers must be easily leveraged across multiple transaction types and platforms. The nine-digit Social Security number (SSN) is easy to use and low-tech. It can be used via landline, while fingerprint scans may require more technology to verify when a user is not physically present.
3. Biometric data presents potential for extrapolated use. Outside applications could easily tap biometric data for other uses. Businesses already analyze customer data to predict likely behaviors. Government agencies, businesses and data traders could use the information that’s typically stored on our devices to further classify and categorize an individual, then use it for a range of decisions from the mundane (target marketing) to the discriminatory (job screening).
4. Behavioral biometric data also may be used outside of identity verification. Behavioral biometrics can track our behavior and find patterns. They can even trigger flags when there’s a break in the usual pattern, similar to the expert systems that flag credit card fraud. While this could be a powerful tool to root out identity thieves, there is the potential misuse of its data collection by everyone from insurance companies to divorce lawyers.
5. Legislation to restrict uses of authentication data is needed. It would be naïve to believe that a self-regulating approach to these types of data collection behaviors will work. The only way to ensure that businesses and government, as well as the public they serve, can move to the next stage in identification and security is to legislate restrictive uses of these types of authentication data and the information gleaned from it. While the general consensus under privacy regimes in North America and Europe is that biometric data is personal information, the restrictive use of that data under both current and pending regulations is opaque at best.
Our old friend the Social Security number was originally intended to identify Social Security beneficiaries, but it has morphed into an identifier for creditworthiness, state and federal income tax payment, Medicare and more. To expect that new forms of identification and verification won’t also be co-opted in unintended ways would be foolish at best and dangerous at worst.
Eduard Goodman is global privacy officer at CyberScout.